Skill v1.1.0
ClawScan security
Mac Dev Staging · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 4:02 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and required actions are coherent with its stated purpose of turning a macOS box into a repeatable local PHP/MariaDB staging server.
- Guidance: This skill appears to do what it says, but it performs system-level changes and requires elevated actions you must run as a user: it uses Homebrew to install packages, requires sudo to restart the stock Apache or enable Remote Login, and the build command runs npm in your project directory (so npm scripts will execute). Before running: review the scripts yourself, back up any Apache configs you may modify, run the detection scripts first to confirm state, and do not expose the Mac controller to 0.0.0.0 or the public internet. If you plan to let an agent invoke this skill autonomously, only enable that if you fully trust it, since the scripts can start/stop services and run arbitrary npm build scripts under the provided paths.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included scripts and README: detect system state, install Homebrew packages (php, mariadb, nginx, node), render Apache vhosts/snippets, manage services, verify stack, and emit receipts. Nothing requested (no external credentials, no unrelated binaries) appears out of scope.
- Instruction Scope (note): SKILL.md directs running the included shell scripts, which inspect system files (/etc/apache2), launchctl, systemsetup, lsof/netstat and call sudo for apachectl and systemsetup when applicable. This is expected for a system-level Mac staging setup. Note: controller.sh's build action runs npm in a target directory (which may execute arbitrary package scripts), and write-receipt.sh writes JSONL receipts to a local .mac-dev-staging directory—both are intended but worth reviewing before use.
- Install Mechanism (ok): No install spec in the registry; the skill is instruction + scripts. The scripts themselves use Homebrew to install packages (brew install) and npm to install global tooling—no downloads from untrusted URLs or archive extraction are present.
- Credentials (ok): The skill declares no required environment variables or credentials. It renders an optional local gateway env with sensible defaults (including a default MAIN_GATEWAY_HTTP value) but does not require secrets or tokens. Use of sudo is necessary for system changes but is proportional to the stated goals.
- Persistence & Privilege (ok): always:false and no install hook means the skill does not force permanent inclusion. The scripts may write receipts under a local directory and start/stop services via brew/apachectl when run by the user; they do not attempt to modify other skills or system-wide agent configs.
